Never Touched Default Settings? Consider Your Facebook Data Exposed
Until recently, Facebook allowed its users to search people using their email address or phone number. In an endless stream of privacy disasters that appear to be hitting Facebook, the company has now revealed that the feature that was designed to make it easier for people to search each other may have exposed their public information to malicious actors.
In a conference call held last night (some updates in our earlier post), Mark Zuckerberg said that after obtaining email IDs and phone numbers from the dark web, malicious actors would then search Facebook with those details to gain additional data on Facebook users. The scale of this activity seems unprecedented as Zuckerberg said that everyone who has this feature turned on (it’s enabled by default) may have had their public data scraped by hackers, researchers, and just about everyone else. Here’s an excerpt from Zuckerberg’s interview (emphasis is ours):
Everyone has a setting on Facebook, that controls — it’s right in your privacy settings — whether people can look you up by your contact information. Most people have that turned on, and that’s the default, but a lot of people have also turned it off. So it’s not quite everyone, but certainly the potential here would be that over the period of time that this feature has been around, people have been able to scrape public information. The information—that if you have someone’s phone number, you can put that in, and get a link to their profile which pulls their public information. So, I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way.
This data, while already public, was trivially easy to scrape, and the lookup covered Facebook's roughly 2 billion users. It is unclear why the company failed to spot this activity in time and pull the feature before the data was exposed. From social engineering to profiling, this data is a goldmine for researchers and malicious actors alike. Zuckerberg said Facebook did have some protections in place, but that they were bypassed by malicious actors.
We had basic protections in place to prevent rate-limiting, making sure that accounts couldn’t do a whole lot of searches. But we did see a number of folks who cycled through many thousands of IPs, hundreds of thousands of IP addresses to evade the rate-limiting system, and that wasn’t a problem we really had a solution to. So now, that’s partially why the answer we came to is to shut this down even though a lot of people are getting a lot of use out of it. That’s not something we necessarily want to have going on. In terms of the scale, I think the thing people should assume, given this is a feature that’s been available for a while and a lot of people use it in the right way, but we’ve also seen some scraping, I would assume if you had that setting turned on, that someone at some point has accessed your public information in this way.
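The failure Zuckerberg describes is a classic one: a rate limit keyed on the client's IP address is defeated by a scraper that simply uses a fresh address for every request, while the thing that is actually doing the lookups (one signed-in account, or one session) never gets counted. The following is an added example written for this article, not Facebook's code, and it does not describe how Facebook's limiter actually worked. It implements a small sliding-window limiter and runs the same constructed traffic through it keyed two different ways. The 20-lookups-per-minute budget, the account names and the IP addresses are all assumed values chosen for the illustration.

```python
"""Why a per-IP rate limit does not stop a scraper that rotates IP addresses.

Added example for this article; not Facebook's code. The traffic records,
account names, IP addresses and the 20-per-minute budget are constructed.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Drop timestamps that have fallen out of the trailing window.
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run_lookups(lookups, key_fn, limit: int = 20, window_s: float = 60.0) -> int:
    """Feed lookup records through a limiter keyed by key_fn(record).

    Returns how many lookups were allowed through. Records are dicts with
    keys t (seconds), ip, account and target (the phone number looked up).
    """
    limiter = SlidingWindowLimiter(limit, window_s)
    return sum(1 for rec in lookups if limiter.allow(key_fn(rec), rec["t"]))


def scraper_traffic(n: int):
    """Constructed: one account looks up n phone numbers in 30 seconds,
    using a different source IP for every single request (IP rotation)."""
    return [
        {
            "t": i * 30.0 / n,
            "ip": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",  # assumed, unique per request
            "account": "scraper-account",
            "target": f"+1555{i:07d}",  # constructed phone numbers
        }
        for i in range(n)
    ]


def legit_traffic():
    """Constructed: a normal user at a fixed IP looks up five contacts over a minute."""
    return [
        {"t": 12.0 * i, "ip": "192.0.2.10", "account": "alice", "target": f"+1555000000{i}"}
        for i in range(5)
    ]


if __name__ == "__main__":
    scraper = scraper_traffic(1000)
    print("scraper, keyed by IP:     ", run_lookups(scraper, lambda r: r["ip"]))
    print("scraper, keyed by account:", run_lookups(scraper, lambda r: r["account"]))
    print("legit user, keyed by IP:  ", run_lookups(legit_traffic(), lambda r: r["ip"]))
```

Keyed by source IP, every one of the scraper's 1000 lookups sails through, because no single address ever exceeds the budget; keyed by the account performing the lookup, the same traffic is cut off after 20, while the ordinary user's five lookups are untouched under either key. In practice a lookup feature like this wants the budget attached to the authenticated principal (account, session or app) and, ideally, a cap on distinct contact identifiers queried per principal, since no legitimate user needs to resolve thousands of phone numbers in a minute. An IP-based limit on top is still useful against unauthenticated abuse, but it must never be the only control.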
“It’s clear now that we didn’t do enough,” Mark added. “We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well. That goes for fake news, foreign interference in elections, hate speech, in addition to developers and data privacy.”
Zuckerberg will testify before Congress on April 11. While yesterday’s conference call with the media was another form of apology from the Facebook chief, he is going to be grilled at the hearing over the multitude of failures that keep coming to light. “We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake,” Zuckerberg said.
“It was my mistake.”